CVE-2023-27492: Allocation of Resources Without Limits or Throttling in Envoy

Severity
6.5 MEDIUM (NVD)
EPSS
0.0% (top 92.30%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 4

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have the Lua filter enabled and trigger crashes. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering al

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

Source    | Package          | Affected versions
NVD       | envoyproxy/envoy | 1.23.0 up to 1.23.6 (+3 more ranges)
CVEListV5 | envoyproxy/envoy | >= 1.23.0, < 1.23.6; >= 1.24.0, < 1.24.4; >= 1.25.0, < 1.25.3 (+2 more ranges)

Vendor Advisories (1)

Red Hat: envoy: Crash when a large request body is processed in Lua filter (2023-04-04)
CVE-2023-27492 — Envoyproxy Envoy vulnerability | cvebase